History: May 23, 2014 - 2:55 p.m.

CVE-2013-1864

2014-05-23 14:55:09
CWE-119
redhat
web.nvd.nist.gov
35
cve-2013-1864
portable tool library
ptlib
ekiga
denial of service
memory consumption
cpu consumption
pxml document
billion laughs attack

CVSS2: 4.3

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

AI Score: 6.5
Confidence: Low

EPSS: 0.023
Percentile: 89.8%

The Portable Tool Library (aka PTLib) before 2.10.10, as used in Ekiga before 4.0.1, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted PXML document containing a large number of nested entity references, aka a “billion laughs attack.”

Affected configurations

Nvd

Node
opalvoip portable_tool_library Match 2.10.1
OR
opalvoip portable_tool_library Match 2.10.2
OR
opalvoip portable_tool_library Match 2.10.7
OR
opalvoip portable_tool_library Match 2.10.9

Node
ekiga ekiga Range 4.0.0

Node
suse suse_linux_enterprise_software_development_kit Match 11.0 sp3
OR
suse suse_linux_enterprise_desktop Match 11.0 sp3

| Vendor | Product | Version | CPE |
|---|---|---|---|
| opalvoip | portable_tool_library | 2.10.1 | cpe:2.3:a:opalvoip:portable_tool_library:2.10.1:*:*:*:*:*:*:* |
| opalvoip | portable_tool_library | 2.10.2 | cpe:2.3:a:opalvoip:portable_tool_library:2.10.2:*:*:*:*:*:*:* |
| opalvoip | portable_tool_library | 2.10.7 | cpe:2.3:a:opalvoip:portable_tool_library:2.10.7:*:*:*:*:*:*:* |
| opalvoip | portable_tool_library | 2.10.9 | cpe:2.3:a:opalvoip:portable_tool_library:2.10.9:*:*:*:*:*:*:* |
| ekiga | ekiga | * | cpe:2.3:a:ekiga:ekiga:*:*:*:*:*:*:*:* |
| suse | suse_linux_enterprise_software_development_kit | 11.0 | cpe:2.3:a:suse:suse_linux_enterprise_software_development_kit:11.0:sp3:*:*:*:*:*:* |
| suse | suse_linux_enterprise_desktop | 11.0 | cpe:2.3:o:suse:suse_linux_enterprise_desktop:11.0:sp3:*:*:*:*:*:* |
